Re: Subject: openpgp card and basiccard RNG
On Fri, Feb 7, 2014 at 8:42 AM, Kostantinos Koukopoulos koukopoulos+gnupg-us...@gmail.com wrote:
> Makes sense. So does anyone know the version of BasicCard used for openpgp cards? Or who to contact with this question? I asked at the distributor (kernelconcepts.de) and they said they couldn't answer such technical questions and suggested I try asking on this list.

For everyone's information, after getting in touch with ZeitCorp, the makers of the hardware and software in the OpenPGP cards in question, I received a reply from Michael Petig stating that they use the Professional BasicCard ZC7.5 which includes a hardware RNG.

Of course in the end it still comes down to the question of how much we trust ZeitCorp, but I have no positive reason not to. Using these cards has risk of course but much smaller than the potential for increased security.

Cheers,
Konstantinos

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Subject: openpgp card and basiccard RNG
On 13/02/14 12:13, Kostantinos Koukopoulos wrote:
> Of course in the end it still comes down to the question of how much we trust ZeitCorp, but I have no positive reason not to. Using these cards has risk of course but much smaller than the potential for increased security.

If you create keys on the card with the option of a local backup, or if you create normal keys which you then keytocard, the included RNG is not used for key material. I don't think it's used elsewhere (apart from the obvious GET CHALLENGE command which is used to get verbatim random numbers from the RNG). Signature generation is deterministic, and the random bytes used for an encrypted message are generated by the sender, not the card.

Werner Koch had this to say about an on-card RNG[1]:

> Compared to actual hardware RNGs they are very limited and probably prone to errors. There is also no way to do extensive power up tests which all other hardware RNGs require. I consider a good OS supported RNG more reliable.

Considering that Werner was involved in the creation of the OpenPGP card, I think the on-card RNG isn't blindly trusted. That does beg the question: is it still used when using addcardkey and declining to use a backup?

HTH,
Peter.

PS: I restricted your statement "trust ZeitCorp" to the RNG. Obviously, more possibilities exist for a manufacturer to be nasty.

[1] http://lists.gnupg.org/pipermail/gnupg-users/2013-June/046901.html

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at http://digitalbrains.com/2012/openpgp-key-peter
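Added example, not part of the thread: the GET CHALLENGE command mentioned in the message above is the ISO 7816-4 APDU `00 84 00 00 Le`. The sketch builds it, parses constructed responses, and applies the SP 800-90B repetition count test to the returned bytes. The sample responses and the 8 bits of entropy per byte are assumptions; a check like this catches only a stuck or repeating generator and cannot show that the output is unpredictable.

```python
import math

SW_OK = b"\x90\x00"  # ISO 7816-4 status word for success

def get_challenge_apdu(n):
    """GET CHALLENGE command APDU: CLA=00 INS=84 P1=00 P2=00 Le=n."""
    if not 1 <= n <= 255:
        raise ValueError("short-form Le covers 1..255 bytes")
    return bytes([0x00, 0x84, 0x00, 0x00, n])

def parse_response(rapdu, expected):
    """Split a response APDU into data and SW1 SW2; accept only 90 00."""
    data, sw = rapdu[:-2], rapdu[-2:]
    if sw != SW_OK:
        raise ValueError("card returned status " + sw.hex())
    if len(data) != expected:
        raise ValueError("wrong challenge length")
    return data

def rct_cutoff(h_per_sample, alpha_exp=20):
    """SP 800-90B repetition count cutoff C = 1 + ceil(-log2(alpha) / H),
    with alpha = 2**-alpha_exp. H is an assumed entropy per sample."""
    return 1 + math.ceil(alpha_exp / h_per_sample)

def repetition_count_ok(samples, cutoff):
    """False if any byte value occurs `cutoff` or more times in a row."""
    run, prev = 0, None
    for b in samples:
        run = run + 1 if b == prev else 1
        prev = b
        if run >= cutoff:
            return False
    return True

def check_challenges(rapdus, n, h_per_sample=8.0):
    """Parse several responses, reject a repeated challenge, then run the
    repetition count test over the concatenated bytes."""
    chunks = [parse_response(r, n) for r in rapdus]
    if len(set(chunks)) != len(chunks):
        return False
    return repetition_count_ok(b"".join(chunks), rct_cutoff(h_per_sample))

# Constructed sample responses (not captured from a real card).
GOOD = [bytes.fromhex("3a91c407e2586dbf9000"), bytes.fromhex("f0127b9ad4c3652e9000")]
STUCK = [bytes.fromhex("11aaaaaaaa2233449000"), bytes.fromhex("5566778899aabbcc9000")]

if __name__ == "__main__":
    print(get_challenge_apdu(8).hex(), check_challenges(GOOD, 8), check_challenges(STUCK, 8))
```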
Re: Subject: openpgp card and basiccard RNG
On Thu 13.02.2014, 14:32:56, Peter Lebbing wrote:
> If you create keys on the card [...], the included RNG is not used

How do you want to create a key on the card without an RNG?

Hauke

--
Crypto for everyone: http://www.openpgp-schulungen.de/fuer/unterstuetzer/ http://userbase.kde.org/Concepts/OpenPGP_Help_Spread
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
Re: Subject: openpgp card and basiccard RNG
On Thu, 13 Feb 2014 19:32:19 +0100 Werner Koch w...@gnupg.org wrote:
> ... of the specs. Not of the concrete implementation. I hesitated to sign an NDA and thus have no more insight into this than most others.

You've got to sign an NDA to learn about the implementation of this security device which is supposed to be open? That sounds nasty and basically means there could even be backdoors in the implementation, not only in the underlying system...

Regards,
Luis Ressel
Re: Subject: openpgp card and basiccard RNG
On 13/02/14 21:13, Luis Ressel wrote:
> You've got to sign an NDA to learn about the implementation of this security device which is supposed to be open?

You need an NDA to get the SDK, and you can't disclose the source code for your application. You don't need the implementation details of a smartcard to write an application for it.

Those NDAs are rather common in the smartcard world, where companies with a lot of money are worried you'll devise a way to watch pay-TV for free and such.[1] Although I think there's a trend towards more openness, and I learned a while ago that you can get crypto-capable JavaCards these days without requiring an NDA.

HTH,
Peter.

PS: I might be off on the exact details, this is all from an interested observer's standpoint.

[1] Yes, security through obscurity. And they need the obscurity, because the security often isn't all that well. Although they have to face the problem that DRM is defective by design, and what they're doing borders on DRM, so partly it's a fundamental problem.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at http://digitalbrains.com/2012/openpgp-key-peter
Re: Subject: openpgp card and basiccard RNG
On 13/02/2014 21:29, Peter Lebbing wrote:
> Although I think there's a trend towards more openness, and I learned a while ago that you can get crypto-capable JavaCards these days without requiring an NDA.

I've been able to work on JavaCards w/o having to sign anything (except the transactions to various online stores :) ). I'd have been interested in developing for Yubikey, too, but that required an NDA with NXP for their SDK, or I couldn't access the button (and access to the button was the only reason I was interested in Yubikey in the first place!).

BYtE,
Diego.
Re: Subject: openpgp card and basiccard RNG
On Thu, 13 Feb 2014 21:36, ndk.cla...@gmail.com said:
> I've been able to work on JavaCards w/o having to sign anything (except

I am not interested in those small applications on the smartcard as long as I can't scrutinize the real code, i.e. the OS. Whether those applications are written for a p-code system (JavaCard, BasicCard) or for the native CPU doesn't change anything in the equation.

Shalom-Salam,
Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
Re: Subject: openpgp card and basiccard RNG
On 13/02/2014 23:20, Werner Koch wrote:
> [JavaCards] I am not interested in those small applications on the smartcard as long as I can't scrutinize the real code, i.e. the OS. Whether those applications are written for a p-code system (JavaCard, BasicCard) or for the native CPU doesn't change anything in the equation.

Then where would you stop analyzing? If you look at the OS code, there could be a backdoor in the CPU microcode. Or in the chip firmware uploader (is there an HV programming mode available? was it disabled or physically removed from the die?). And these are just the most obvious.

The best we can do is trust the manufacturer and read the fine print on the datasheets. It will be more secure than a sw only implementation that runs on a connected PC.

ByTE,
Diego
Re: Subject: openpgp card and basiccard RNG
On Wed, Feb 5, 2014 at 10:01 AM, Michael Anders micha...@gmx.de wrote:
> In my opinion a (good) PRNG seeded properly under user control is no problem. If -as the FAQ seems to tell- it is primed during production, beyond user control, this implies that normal users have to fully trust the manufacturer. A malicious manufacturer would be able to completely break privacy based on the Enhanced BasicCard without the user being able to detect this. An instance is created here, deliberately and unnecessarily, which the user has to trust. This pattern smells like a backdoor mechanism to me. I would outrightly reject to use such a card.

Makes sense. So does anyone know the version of BasicCard used for openpgp cards? Or who to contact with this question? I asked at the distributor (kernelconcepts.de) and they said they couldn't answer such technical questions and suggested I try asking on this list.

http://vsre.info/
Subject: openpgp card and basiccard RNG
> Hello,
>
> Apparently the OpenPGP card is based on BasicCard [1] and from the BasicCard FAQ [2] I read:
>
> > For Enhanced BasicCards, the card has no hardware generator. The Enhanced BasicCards contain a unique manufacturing number which cannot be read from outside the card. The Rnd function uses this number to generate random numbers which are different for each card. For Professional and MultiApplication BasicCards, the random number is generated by use of a hardware random number generator.
>
> Does anybody know which version of BasicCard is used for the OpenPGP cards distributed by KernelConcepts.de? If it is the Enhanced version, does the use of a pseudorandom generator pose a security risk?

In my opinion a (good) PRNG seeded properly under user control is no problem. If -as the FAQ seems to tell- it is primed during production, beyond user control, this implies that normal users have to fully trust the manufacturer. A malicious manufacturer would be able to completely break privacy based on the Enhanced BasicCard without the user being able to detect this. An instance is created here, deliberately and unnecessarily, which the user has to trust. This pattern smells like a backdoor mechanism to me. I would outrightly reject to use such a card.

Cheers,
Michael Anders